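*** Settings ***

Documentation       VMI certificate exchange tests.
...                 Each templated test sends the same request under several user
...                 roles and checks the HTTP status code returned by the BMC.

Resource            ../../lib/resource.robot
Resource            ../../lib/bmc_redfish_resource.robot
Resource            ../../lib/openbmc_ffdc.robot
Resource            ../../lib/bmc_redfish_utils.robot
Resource            ../../lib/utils.robot

Suite Setup         Suite Setup Execution
Test Teardown       FFDC On Test Case Fail
Suite Teardown      Suite Teardown Execution


*** Variables ***

# Accounts below are created in "Suite Setup Execution" and deleted again in
# "Suite Teardown Execution".  The template rows in the test cases repeat these
# literals, so keep both places in sync when changing a name or password.
# users             User Name                 password
@{ADMIN}            admin_user                TestPwd123
@{OPERATOR}         operator_user             TestPwd123
@{ReadOnly}         readonly_user             TestPwd123
@{NoAccess}         noaccess_user             TestPwd123
&{USERS}            Administrator=${ADMIN}    Operator=${OPERATOR}    ReadOnly=${ReadOnly}
...                 NoAccess=${NoAccess}
${VMI_BASE_URI}     /ibm/v1/
# Files written to the current working directory by "Generate CSR String".
${CSR_FILE}         csr_server.csr
${CSR_KEY}          csr_server.key


*** Test Cases ***

Get CSR Request Signed By VMI And Verify
    [Documentation]    Get CSR request signed by VMI using different user roles and verify.
    [Tags]    Get_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]    Redfish Power On
    [Template]    Get Certificate Signed By VMI

    # username              password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}     ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Send CSR request from operator user.
    operator_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Root Certificate Using Different Privilege Users Roles
    [Documentation]    Get root certificate using different users.
    [Tags]    Get_Root_Certificate_Using_Different_Users
    [Setup]    Redfish Power On
    [Template]    Get Root Certificate

    # username              password               force_create    valid_csr    valid_status_code
    # Request root certificate from admin user.
    admin_user              TestPwd123             ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Send CSR Request When VMI Is Off And Verify
    [Documentation]    Send CSR signing request to VMI when it is off and expect an error.
    [Tags]    Get_CSR_Request_When_VMI_Is_Off_And_verify
    [Setup]    Redfish Power Off
    [Template]    Get Certificate Signed By VMI

    # username              password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}     ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Corrupted CSR Request Signed By VMI And Verify
    [Documentation]    Send corrupted CSR for signing and expect an error.
    [Tags]    Get_Corrupted_CSR_Request_Signed_By_VMI_And_Verify
    [Setup]    Redfish Power On
    [Template]    Get Certificate Signed By VMI

    # username              password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}     ${OPENBMC_PASSWORD}    ${True}         ${False}     ${HTTP_INTERNAL_SERVER_ERROR}

    # Send CSR request from operator user.
    operator_user           TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}

    # Send CSR request from ReadOnly user.
    readonly_user           TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}

    # Send CSR request from NoAccess user.
    noaccess_user           TestPwd123             ${False}        ${False}     ${HTTP_FORBIDDEN}


Get Root Certificate When VMI Is Off And Verify
    [Documentation]    Get root certificate when vmi is off and verify.
    [Tags]    Get_Root_Certificate_When_VMI_Is_Off_And_Verify
    [Setup]    Redfish Power Off
    [Template]    Get Root Certificate

    # username              password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}     ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


Get Root Certificate After BMC Reboot And Verify
    [Documentation]    Get root certificate after bmc reboot and verify.
    [Tags]    Get_Root_Certificate_After_BMC_Reboot_And_Verify
    [Setup]    Run Keywords    OBMC Reboot (off)    AND    Redfish Power On
    [Template]    Get Root Certificate

    # username              password               force_create    valid_csr    valid_status_code
    ${OPENBMC_USERNAME}     ${OPENBMC_PASSWORD}    ${True}         ${True}      ${HTTP_OK}

    # Request root certificate from operator user.
    operator_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from ReadOnly user.
    readonly_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}

    # Request root certificate from NoAccess user.
    noaccess_user           TestPwd123             ${False}        ${True}      ${HTTP_FORBIDDEN}


*** Keywords ***

Generate CSR String
    [Documentation]    Create a new RSA-2048 key pair with openssl, write a CSR for it
    ...    to ${CSR_FILE}, and return the CSR file content.

    # -nodes writes the private key to ${CSR_KEY} without a passphrase.  The key is
    # a throwaway used only by this suite.
    ${ssl_cmd}=    Set Variable    openssl req -new -newkey rsa:2048 -nodes -keyout ${CSR_KEY} -out ${CSR_FILE}
    ${ssl_sub}=    Set Variable
    ...    -subj "/C=XY/ST=Abcd/L=Efgh/O=ABC/OU=Systems/CN=abc.com/emailAddress=xyz@xx.ABC.com"

    # Run openssl and fail here if it did not succeed, so that a stale CSR file left
    # by an earlier run is never picked up as if it had just been generated.
    ${rc}    ${output}=    Run And Return Rc And Output    ${ssl_cmd} ${ssl_sub}
    Should Be Equal As Integers    ${rc}    0
    ...    msg=openssl CSR generation failed: ${output}
    ${csr}=    OperatingSystem.Get File    ${CSR_FILE}

    [Return]    ${csr}


Send CSR To VMI And Get Signed
    [Documentation]    POST a CSR string to the VMI SignCSR action and return the response.
    [Arguments]    ${csr}    ${force_create}    ${username}    ${password}

    # Description of argument(s):
    # csr             Certificate request from client to VMI.
    # force_create    Create a new REST session if True.
    # username        Username to create a REST session.
    # password        Password to create a REST session.

    # A session is (re)created with the supplied credentials when a token already
    # exists or when force_create is True.  ${XAUTH_TOKEN} is not set in this file;
    # presumably "Initialize OpenBMC" sets it -- confirm in the resource files.
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Actions/SignCSR

    # For SignCSR request, we need to pass CSR string generated by openssl command.
    ${csr_data}=    Create Dictionary    CsrString    ${csr}
    Set To Dictionary    ${data}    data    ${csr_data}

    ${resp}=    Post Request    openbmc    ${cert_uri}    &{data}    headers=${headers}

    [Return]    ${resp}


Get Root Certificate
    [Documentation]    Get root certificate from VMI and verify the status code; on
    ...    HTTP_OK also verify that the body carries a PEM certificate.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username             Username to create a REST session.
    # password             Password to create a REST session.
    # force_create         Create a new REST session if True.
    # valid_csr            Not used by this keyword; it only keeps the template rows
    #                      in the same shape as "Get Certificate Signed By VMI".
    # valid_status_code    Expected status code from REST request.

    # A session is (re)created with the supplied credentials when a token already
    # exists or when force_create is True.
    Run Keyword If    "${XAUTH_TOKEN}" != "${EMPTY}" or ${force_create} == ${True}
    ...    Initialize OpenBMC    rest_username=${username}    rest_password=${password}

    ${data}=    Create Dictionary
    ${headers}=    Create Dictionary    X-Auth-Token=${XAUTH_TOKEN}
    ...    Content-Type=application/json

    ${cert_uri}=    Set Variable    ${VMI_BASE_URI}Host/Certificate/root

    ${resp}=    Get Request    openbmc    ${cert_uri}    &{data}    headers=${headers}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # Hand the body to json.loads as an object ($resp.text) instead of substituting
    # it into the Python expression text, so quotes or backslashes in the response
    # cannot change the expression that is evaluated.
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE


Get Subject
    [Documentation]    Return the "Subject:" line openssl prints for a CSR or a
    ...    signed certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name      Name of CSR or signed CERT file.
    # is_csr_file    A True value means a CSR while a False is for signed CERT file.

    # file_name is placed into a shell command line as-is; callers in this file
    # pass fixed names only.
    ${subject}=    Run Keyword If    ${is_csr_file}
    ...    Run    openssl req -in ${file_name} -text -noout | grep Subject:
    ...    ELSE
    ...    Run    openssl x509 -in ${file_name} -text -noout | grep Subject:

    [Return]    ${subject}


Get Public Key
    [Documentation]    Return the PEM public key openssl extracts from a CSR or a
    ...    signed certificate file.
    [Arguments]    ${file_name}    ${is_csr_file}

    # Description of argument(s):
    # file_name      Name of CSR or CERT file.
    # is_csr_file    A True value means a CSR while a False is for signed CERT file.

    # file_name is placed into a shell command line as-is; callers in this file
    # pass fixed names only.
    ${PublicKey}=    Run Keyword If    ${is_csr_file}
    ...    Run    openssl req -in ${file_name} -noout -pubkey
    ...    ELSE
    ...    Run    openssl x509 -in ${file_name} -noout -pubkey

    [Return]    ${PublicKey}


Get Certificate Signed By VMI
    [Documentation]    Get signed certificate from VMI, verify the status code and,
    ...    on HTTP_OK, verify that subject and public key match the CSR.
    [Arguments]    ${username}=${OPENBMC_USERNAME}    ${password}=${OPENBMC_PASSWORD}
    ...    ${force_create}=${False}    ${valid_csr}=${True}    ${valid_status_code}=${HTTP_OK}

    # Description of argument(s):
    # username             Username to create a REST session.
    # password             Password to create a REST session.
    # force_create         Create a new REST session if True.
    # valid_csr            Uses valid CSR string in the REST request if True,
    #                      otherwise a deliberately corrupted one.
    # valid_status_code    Expected status code from REST request.

    Set Test Variable    ${CSR}    CSR
    Set Test Variable    ${CORRUPTED_CSR}    CORRUPTED_CSR

    ${CSR}=    Generate CSR String
    # The corrupted variant is built by splitting at the last "==" and inserting
    # text there.  NOTE(review): this assumes the generated CSR text contains "==";
    # confirm that holds for the key size and subject used above.
    ${csr_left}    ${csr_right}=    Split String From Right    ${CSR}    ==    1
    ${CORRUPTED_CSR}=    Catenate    SEPARATOR=    ${csr_left}    \N    ${csr_right}

    # For SignCSR request, we need to pass CSR string generated by openssl command
    ${csr_str}=    Set Variable If    ${valid_csr} == ${True}    ${CSR}    ${CORRUPTED_CSR}

    ${resp}=    Send CSR To VMI And Get Signed    ${csr_str}    ${force_create}    ${username}    ${password}

    Should Be Equal As Strings    ${resp.status_code}    ${valid_status_code}
    Return From Keyword If    ${resp.status_code} != ${HTTP_OK}

    # Hand the body to json.loads as an object ($resp.text) instead of substituting
    # it into the Python expression text, so quotes or backslashes in the response
    # cannot change the expression that is evaluated.
    ${cert}=    Evaluate    json.loads($resp.text, strict=False)    json
    Should Contain    ${cert["Certificate"]}    BEGIN CERTIFICATE
    Should Contain    ${cert["Certificate"]}    END CERTIFICATE

    # Now do subject and public key verification
    ${subject_csr}=    Get Subject    ${CSR_FILE}    True
    ${pubKey_csr}=    Get Public Key    ${CSR_FILE}    True

    # create a crt file with certificate string
    ${signed_cert}=    Set Variable    ${cert["Certificate"]}

    Create File    test_certificate.crt    ${signed_cert}
    ${subject_signed_csr}=    Get Subject    test_certificate.crt    False
    ${pubKey_signed_csr}=    Get Public Key    test_certificate.crt    False

    # The signed certificate must carry the subject and the public key of the CSR
    # that was submitted.
    Should Be Equal As Strings    ${subject_signed_csr}    ${subject_csr}
    Should Be Equal As Strings    ${pubKey_signed_csr}    ${pubKey_csr}


Suite Setup Execution
    [Documentation]    Suite setup execution.

    # Create different user accounts.
    Redfish.Login
    Create Users With Different Roles    users=${USERS}    force=${True}


Suite Teardown Execution
    [Documentation]    Suite teardown execution: delete the accounts and sessions the
    ...    suite created and remove the key and certificate files it wrote.

    Delete BMC Users Via Redfish    users=${USERS}
    Delete All Sessions
    Redfish.Logout

    # The private key was written without a passphrase; do not leave it, the CSR
    # or the signed certificate behind in the working directory.
    OperatingSystem.Remove Files    ${CSR_KEY}    ${CSR_FILE}    test_certificate.crt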